For years prompt injection was a research curiosity — a clever way to make a chatbot misbehave in a demo. That era is over.
It's named-brand news now
The Guardian's reporting on a Meta AI hack is the kind of headline we said was coming: a trusted assistant, wired to real brands and real users, manipulated through its inputs. Dark Reading, meanwhile, keeps a running tally of the advantages attackers hold over defenders — and LLM-driven systems now sit squarely on that list.
You don't need the mechanics of any single incident to see the pattern. The moment you wire a language model to your data, your tools, or your customers, its inputs become an attack surface. And unlike a SQL injection, the "parser" here is a probabilistic model — you can't fully constrain it by escaping a string.
The numbers were already there
This isn't a surprise. In IBM/Ponemon's 2025 study, 13% of organizations reported a breach of an AI model or application — 97% of which lacked AI access controls — at an average breach cost of $4.44M (IBM, Cost of a Data Breach Report 2025). The headlines are just the part that's finally visible.
What actually holds
Detection — scoring text to guess whether it's an attack — loses the moment an attacker finds phrasing it misreads. Containment is different: it constrains what the model is allowed to emit, in-process, so a successful injection still can't walk your secrets out the door. In our own 88-combination test, bare models leaked a protected secret or brand in 39.8% of cases; the same models behind Bridgekeeper leaked in 0 of 88.
Bridgekeeper reduces and contains prompt-injection leakage. It doesn't promise that no model or prompt can ever be fooled — nothing honest can. What it changes is the consequence when one is.